JP2022058749A - Safe provisioning for device and management thereof - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a system for safe provisioning of a computerized device and management thereof.

SOLUTION: A system 100 has a distribution device which is connected to a computerized device so as to communicate with it and can be operated so as to receive digital assets and to load the digital assets to the computerized device. The system has a digital asset management system that is connected to a distribution device through a first safe communication channel and can be operated to generate digital assets to distribute them to the distribution device with restriction, and a provisioning controller that is connected to the distribution device through a second safe communication channel and to the digital asset management system through a third safe communication channel and can be operated to instruct the digital asset management system to transmit the digital asset to the distribution device. Before the digital asset is loaded, the computerized device does not function fully.

SELECTED DRAWING: Figure 1

COPYRIGHT: (C)2022,JPO&INPIT

Description

(Mutual reference of related applications)
This application is a US provisional patent application filed on November 14, 2016, No. 62 / 421,87.
No. 8, US Provisional Patent Application No. 62 / 421,852 filed on November 14, 2016,
And claim the interests of US Provisional Patent Application No. 62 / 487,909 filed April 20, 2017, all of which are incorporated herein by reference in their entirety.

The present invention is a system for safely provisioning computerized devices,
Regarding equipment and methods.

As computers become smaller and more compact and commercialized, manufacturers are manufacturing an increasingly diverse set of equipment, including one or more embedded computers or processors.
Computers within computerized equipment, among other things, control the operation of the equipment, collect, store and share data, communicate with other computers and other computerized equipment, and update their own software. be able to.

The Internet of Things (IoT) is a processor, electronic device, software, data,
A network of computerized physical devices with built-in sensors, actuators, and / or network connections that connect and exchange data to and exchange data over digital networks, including the Internet, mobile phone networks, and other wireless networks. to enable. Normally, each "thing" is uniquely identifiable through its embedded computing system and can interoperate within existing Internet infrastructure.

"Things" in the sense of IoT are, among other things, home appliances, enterprise equipment used in business and corporate environments, manufacturing machinery, agricultural equipment, and energy-consuming equipment in homes and buildings (switches, outlets, etc.). It can refer to a variety of computerized equipment such as light bulbs, televisions, etc.), medical and healthcare equipment, infrastructure management equipment, robots, drones, and transportation equipment and vehicles.

For example, most, if not all, modern vehicles (eg cars, trucks, aircraft, trains, ships, etc.) include some embedded processors or computers within their subsystems, at least some. It is controlled by a computer in the following manner. Similarly, more and more modern transportation infrastructure equipment (eg, traffic lights, traffic cameras, traffic sensors, bridge monitors, bridge control systems, etc.) includes at least one, and often many, embedded processors or embedded computer systems. , Computer controlled in at least some aspects. These computer control elements of a transportation network usually communicate with each other to exchange various types of information, and for safe, correct, efficient and reliable operation, they are between vehicles (V2V, C2C). Between other vehicles and / or between vehicles and infrastructure (V2I) in communications (also called vehicle-to-vehicle)
, C2I, also referred to as between vehicle infrastructures) can react to, respond to, change behavior, or depend on information received / transmitted to and from infrastructure elements in communications.

Computers in computerized equipment operate according to their software and / or firmware and data. To ensure safe and proper operation
Computerized equipment, as intended by the manufacturer, includes the appropriate software, firmware, executable instructions, digital certificates (eg, public key certificates), and cryptographic keys (in the following, collectively ". IoT is licensed because it must be properly initialized and updated with "digital assets" or "software").
It consists only of software that has been confirmed to work and devices that are running data. However,
Problems arise when an unauthorized person or organization (eg, a hacker) replaces or modifies software in a computerized device. Problems also arise when older software, untested software, unlicensed software, and / or software with known bugs are installed within computerized equipment.

Therefore, to prevent computerized equipment from operating with error-sensitive, erroneously functioning, untested, maliciously modified, or otherwise unwanted software and data. It is desired to provide improved systems, methods, and techniques for securely provisioning digital assets in computerized equipment.

A system for securely provisioning one or more computerized devices,
Methods, and equipment systems are disclosed herein. In various embodiments, the system is communicably connected to a computerized device, with a first distribution device capable of receiving digital assets and operating to load the digital assets into the computerized device. A digital asset management system that is connected to the distribution device via the first secure communication channel and can operate to generate digital assets and conditionally send them to the distribution device, and a second secure communication channel. A provisioning controller that is connected to the distribution device through, connected to the digital asset management system via a third secure communication channel, and can operate to instruct the digital asset management system to send the digital assets to the distribution device. And include. Due to the absence of digital assets, computerized equipment may not function or may only partially function before the digital assets are loaded onto the computerized equipment. A digital asset can be at least one of a digital certificate, a cryptographic key, and executable software.

In various embodiments, the system is connected to the digital asset management system via a fourth secure communication channel, communicable to the computerized device after the first distribution device is disconnected, and the first. It further includes a second distribution device capable of receiving the second digital asset and operating to load the second digital asset into the computerized device, and the provisioning controller further includes the second digital asset as the distribution device. It can be operated to instruct the digital asset management system to send to. The computerized device can become fully functional after the second digital asset is loaded into the computerized device.

In various embodiments, the digital asset management system runs one or more virtuals communicably connected to one or more computation engines that run the registry application and perform the cryptographic calculations required by the registry application. One or more virtual machines communicably connected to the machine and one or more compute engines that run the Registered Certifier application and perform the cryptographic calculations required by the Registered Certifier application, and the False Name Certifier application. And perform the cryptographic calculations required by the False Name Authentication Authority application 1
One or more virtual machines communicatively connected to one or more compute engines, and one or more that execute the first Cooperator application and perform the cryptographic calculations required by the first Cooperator application. To one or more virtual machines communicatively connected to the compute engine and to one or more compute engines that run the second collaborator application and perform the cryptographic calculations required by the second collaborator application. It can further include one or more virtual machines connected communicably.

In another embodiment, the digital asset management system has one or more virtual machines running a registration authority application, one or more virtual machines running a registration certification authority, and one or more running a pseudonym authentication authority application. Further includes a database operably connected to the virtual machine of, one or more virtual machines running the first Coordinator application, and one or more virtual machines running the second Cooperator application. Can be done.

In yet another embodiment, the system is operably connected to a provisioning controller to authenticate the manufacturer of the computerized device and allow the manufacturer to manage the provisioning of the computerized device. , And / or a portal that is operably connected to the provisioning controller, authenticates the installer of the computerized equipment, and allows the installer to manage the provisioning of the computerized equipment, and / or the provisioning controller. Connected to be operational and
It can further include a portal that authenticates the regulator of the computerized device and allows the regulator to manage the provisioning of the computerized device.

In yet another embodiment, the provisioning controller can be further operational to send digital assets (eg, executable software images) to the distribution device for loading into the computerized device. In yet another embodiment, the provisioning controller is associated with the digital device and can be further operational to create and maintain a log that stores information about the provisioning activity of the digital device, and the delivery device is in the log. It can be further activated to send information about the provisioning activity related to the digital device to the provisioning controller for storage.

In yet another embodiment, the provisioning controller may be further operational to authenticate the digital device before instructing the digital asset management system to send the digital asset.

The accompanying drawings, which are incorporated herein and constitute a portion thereof, exemplify embodiments of the present invention and, along with their description, serve to explain the principles of the present invention.

It is a block diagram which shows an example of the system for secure provisioning which is consistent with the embodiment of this invention.

FIG. 3 is a swimlane diagram illustrating an example of a process for securely provisioning computerized equipment, consistent with embodiments of the present invention.

FIG. 3 is a swimlane diagram illustrating another example of a process for securely provisioning computerized equipment, consistent with embodiments of the present invention.

It is the first part of the block diagram of an example of a system for implementing a scalable and secure digital asset management system consistent with an embodiment of the present invention.

It is the second part of the block diagram of an example of a system for implementing a scalable and secure digital asset management system consistent with an embodiment of the present invention.

FIG. 3 is a block diagram of an example computing system that can be used to host a system and method consistent with embodiments of the present invention.

Here, various embodiments of the present invention are referred to in detail, examples of which are shown in the accompanying drawings. Whenever convenient, use the same reference numerals throughout the drawing to refer to the same or similar parts.

To ensure safe and proper operation in the field, embedded devices (eg electronic control units (ECUs) used in vehicles) are properly initialized during manufacturing by provisioning digital assets such as security assets. Need to be provisioned. Digital assets can include various encryption keys, unique identifiers, digital certificates, and software. In most cases, the origins and manufacturing plants of these digital assets are geographically different, and these locations are traditionally interconnected via insecure internet communications. Therefore, it is desirable to create an end-to-end secure channel from the origin of these digital assets to the equipment so that the digital assets cannot be accessed or altered by malicious parties or accidentally.

Traditional network security protocols for end-to-end protection, such as TLS / SSL, have the disadvantage that both communicators must have a pre-shared key or specific secret security material in advance. This creates periodic technical problems in that some early confidential material must be present in advance in order to provision digital assets. This issue involves how to protect the first secret material. This problem is especially serious for computerized equipment, as a single version of the initial software is usually loaded into computerized equipment during manufacturing to simplify logistics. If this initial software needs to include initial security material, it must have a global secret. As a result, jeopardizing early security documentation would lead to the leakage of all digital assets provisioned on all equipment as they all share the same global secret. Systems, methods, and equipment consistent with this disclosure address these and other issues with traditional provisioning systems.

Provisioning generally refers to a series of actions taken to prepare a computerized device with the appropriate data and software. It can also include a series of actions taken to properly install the equipment in its operating environment and prepare it for operation. The action is to load the appropriate digital assets (eg, operating system, device driver, middleware, application, digital certificate, etc.) into the device's digital storage (eg, memory), and (if necessary) each specific. Includes the proper customization and configuration of certain digital assets that may be device-specific on the device. Actions can also include verifying that the computerized device is a legitimate device created by a legitimate device manufacturer and not a copy or counterfeit device.

Actions can also include installing the device correctly in its operating environment and testing it to verify that the device is operating properly. Equipment may be built by one manufacturer and later installed in a larger system or equipment by another (eg, an onboard unit (OB) made by a parts manufacturer.
Due to the fact that U) may be attached to vehicles made by automakers), the ability to safely provision only equipment that has been confirmed to be safe is complex. Improperly installed equipment may not function properly.

Various embodiments consistent with the present invention provide secure provisioning of computerized devices, including IoT devices. Such embodiments prevent or prohibit malicious, negligent, or erroneous alteration, modification, update, or release of digital assets used by computerized equipment, computerized equipment and them. Helps prevent or prohibit improper installation of your software.

Various embodiments consistent with the present invention can also generate audit logs, records, reports, etc. of secure provisioning processes, which can be used to analyze and solve problems discovered later. ..

Various embodiments consistent with the present invention can also provide a secure provisioning and management platform that can be provided as a service to equipment and system manufacturers.

FIG. 1 is a block diagram showing an example of a system 100 for secure provisioning of computerized equipment, consistent with embodiments of the present invention. As shown in the example of FIG.
The system 100 includes a provisioning controller 120. The provisioning controller 120 is an embedded hardware security module (HSM) that securely generates and stores digital security assets and securely performs various encryption and sensitive calculations.
Can be implemented as a server computer with (eg, having at least one processor and associated memory). HSMs protect digital security assets such as cryptographic keys and other sensitive data from possible attacker access. In various embodiments, the provisioning controller 120 authenticates the user of system 100 and
It functions to communicate securely with them, securely communicates with and manages one or more distribution devices 108, 131, and securely communicates with the Digital Asset Management System (DAMS) 110. It works to direct actions, works to create and save provisioning records, works to create, save, and deliver provisioning records,
Functions to create, store, and distribute audit logs, DAMS110 and distribution devices 108, 13
It works to create and distribute certificates to cryptographically connect elements of 1, and if users and managed devices become untrusted, it works to invalidate them as needed, business. It works to create and deliver secure encrypted backups of critical keys and data for offsite storage for continuity and disaster recovery.

As shown in the example of FIG. 1, the provisioning controller 120 is the database 125.
The database 125 is connected to the devices 106a and 106b (10 in total).
It can store data, information, and digital assets related to secure provisioning (sometimes referred to as 6).

The provisioning controller 120 is also securely communicably connected to the manufacturer's user portal 115, which can be implemented, for example, as a server or as an interface to the provisioning controller 120. In various embodiments, the staff 109 of the equipment manufacturer 105 is the manufacturer's user portal 1.
Using 15, provisioning controller 120 (and therefore DAMS11)
You can interface with 0) and manage their device provisioning activity. In various embodiments, the manufacturer's user portal 115 is the username,
Identification information such as passwords, two-factor identification data, face recognition images, and fingerprints can be collected from staff user 109 and the identification information can be provided to the provisioning controller 120. The provisioning controller 120 can authenticate staff 109 before allowing staff 109 access to the secure provisioning system 100. For example, the provisioning controller 120 searches for identification information that is associated with staff user 109 and has been previously validated and stored in its database 125, and the stored identification information is collected by the manufacturer's user portal 115. Can be compared with. Alternatively, the provisioning controller 120 or DAMS User Portal 115 may be integrated with the user's corporate identity and authentication system to determine if Staff 109 is authorized to use System 100. In various embodiments, the provisioning controller 120 or DAMS user portal 11
5 can assign roles to staff 109 who have successfully authenticated and limit their actions within the system 100. In some embodiments, the provisioning controller 120 can only allow access if the two sets of identification information match.

Similarly, the provisioning controller 120 is communicably connected to the installer user portal 116, which may be implemented, for example, as a server or as an interface to the provisioning controller 120. In various embodiments, equipment installer staff 132 can use the installer user portal 116 to interface with provisioning controllers 120 (and hence DAMS110) to manage their equipment installation and provisioning activities. .. The provisioning controller 120 authenticates staff 132 before authorizing staff 132 and plays a role in them before allowing staff 132 to access the secure provisioning system 100 and perform authorized functions on the system. Can be assigned.

Similarly, the provisioning controller 120 is also communicably connected to the regulator portal 117, which can be implemented, for example, as a server or as an interface to the provisioning controller 120. In various embodiments, when authenticated by the provisioning controller 120, the regulator 140 interfaces with the provisioning controller 120 using the regulator portal 117 to interface with the manufacturer 104, installer 130, equipment 106, and / or equipment 106. Can manage reviews and authorizations for software / digital assets installed in.
The provisioning controller 120 can authenticate the regulator 140 before allowing the regulator 140 to access the secure provisioning system 100. In some embodiments of the system 100, the regulator 140 and the regulator portal 117 are optional.

The provisioning controller 120 is further communicably connected to the DAMS 110. In various embodiments, the DAMS 110 can be implemented as a server, device, or secure device and / or system of servers. The DAMS 110 securely retrieves the public key from the provisioned end entity device via the distribution device 108, 131, or other secure and authenticated connection, and the digital certificate and related data installed on the device 106. Safely supply. DAMS 110 also provisions, installs, and provisions computerized equipment 106 from manufacturers 105 and installers 130.
Status information related to functionality and the like is safely received via the distribution devices 108 and 131. In addition, DAMS110 can perform this provisioning at a single site or multiple sites as shown in FIG. As described in more detail with respect to FIG. 4, the DAMS 110 can include the following key elements: Root Certificate Authority (CA), Policy Generator, CRL Generator, Fraud Authority, Intermediate CA, Registered CA, Coordination. Station,
Pseudonym CA, and registration authority.

DAMS110 adds new functionality, 20 by William Whyte et al.
2013 IEEE Vehical Network Networking Co in December 2013
Improve the components and functionality described in the paper "Secure Credit Certificate Management System for V2V Communication" by nference. In various embodiments, DAMS1
10 includes multi-step programming and flexible management (eg, allowing the regulator 140 to be included). Various embodiments of DAMS110 also include a single DAMS1.
10 enables features that allow different subscribers to be provided with different levels of provisioning. Various embodiments of DAMS110 also include a subscriber for a period of time (eg, eg).
Allows features that allow different digital certificate usage (such as one week instead of three years as in traditional systems) to be assigned to different digital certificates (per week). Various implementations of DAMS 110 so that computerized equipment 106 of a particular manufacturer (eg, OEM vehicles) can remain within the manufacturer's scope (eg, their URLs indicate their names). The form may also provide a subscriber-specific URL.

As shown, the provisioning controller 120 also includes distribution devices 108, 1
It is communicably connected to 31. In various embodiments, the distribution devices 108, 131 can be implemented, among other things (as shown), as stand-alone secure devices installed on company premises, or as web services or cloud services. In various embodiments, the distribution devices 108, 131 are preferably reliable endpoint devices for securely transmitting and receiving digital assets and other information to and from the DAMS 110 and the provisioning controller 120 via a dedicated non-Internet communication channel. It will be realized. As shown, distribution devices 108, 131 also digital assets devices 106a, 106.
It connects to devices 106a, 106b either directly or indirectly to download to b and receive data from it. In various embodiments, distribution devices 108, 131 include a hardware security module, an enhanced operating system (OS), an internal firewall, and an internal host intrusion detection / prevention system (eg, at least one processor and associated memory). Can be implemented as a box containing a server computer. The delivery device may be specifically designed to operate in an unreliable environment and still provides reliable and reliable operation. The distribution device has a secure communication channel between itself and the secure provisioning controller 120 and DAMS 110. This channel is used to control distribution equipment and send and receive provisioning-related data and log information. The distribution device can also have a secure communication channel to the tester 107 used to program or provision the device 106. This channel protects provisioning and log data from being leaked or altered on the manufacturing location's communications network. The distribution device 108 also establishes a direct secure communication channel with the programmed device 106 so that the provisioning data cannot be compromised or modified by a third party (including the rogue tester 107). can do. In various embodiments, the distribution device can collect other data, such as a public key and a microprocessor serial number, from the device 106 that it intends to provision. The distribution device can transmit this information to the provisioning controller 120 and / or DAMS 110. The distribution device can also receive data and commands and other information from the provisioning controller 120 and / or DAMS 110 for programming within device 106. The distribution device can return its own log data, and the distribution device is a tester 10
Data can be returned from 7 to the provisioning controller 120 and / or DAMS110.

As illustrated with respect to the device manufacturer 105, the distribution device 108 is a tester 107 (
For example, it can be communicably connected to computerized manufacturing equipment, product inspection equipment, etc.), and the tester 107 is then connected to equipment 106a manufactured by manufacturer 105, such as OBU equipment. Manufacturer 105 may include or be a factory that manufactures and / or supplies the computerized equipment 106a to the market. As one of many possible examples, the computerized device 106a is an onboard unit (OBU) that is later installed in the vehicle for communication between the vehicle and the transportation infrastructure equipment.
) Can be an embedded universal integrated circuit card (eUICC) used in cellular modems for telecommunications. It can also be a V2V secure microprocessor mounted on the OBU to communicate with other vehicles and roadside units (RSUs). These newly manufactured equipment 106a must be properly provisioned by a digital asset (eg, a digital certificate from DAMS 110) in order to operate properly. The staff 109 of the manufacturer 105 is the user portal 11.
5 can be used to interact with the provisioning controller 120 and manage product provisioning activity by DAMS110.

As shown with respect to the installer 130, the distribution device 131 may optionally be communicably connected directly to the device 106b while or after the device 106b is installed in its operating environment. The installer 130 may include or may be a factory or store that installs computerized equipment 106b in their operating environment (eg, installs an OBU in an automobile). Upon installation, the computerized device 106b must be more properly provisioned with digital assets (eg, additional digital certificates from DAMS 110) in order to operate properly. The staff 132 of the installer 130
The installer user portal 116 can be used to interact with the provisioning controller 120 to manage product provisioning activity with DAMS 110.

In various embodiments, the provisioning controller 120, the distribution devices 108, 131
, And DAMS110 can have secure and publicly inaccessible communication links or channels between them, and in various embodiments, all of the communication links shown in FIG. 1 are secure and publicly inaccessible. It can be a communication channel. In various embodiments, these secure channels are encrypted and mutually authenticated to prevent unauthorized endpoints from communicating within this secure infrastructure. Multiple security mechanisms can be used to protect these communication channels so that the inner layer remains secure even if the outer layer is somehow compromised. As an example, a mutual authentication TLS tunnel can be used as an outer layer along with an inner layer using another protocol, such as a proprietary secure communication protocol. These secure connections between infrastructure components, including the system 100, are used to protect confidential communications between the components and ensure their proper operation. Using these secure routes, the provisioning controller 120 and DAMS110 can transmit digital data between the components without fear of being leaked or altered during the transfer. Command and control information can also be passed through these channels. For example, the provisioning controller 120 can control to which distribution devices 108, 131 the particular digital assets and data are transmitted. It can also instruct delivery devices 108, 131 how to weigh this data to device 106 on the production line on which it is provisioned. Further, the distribution devices 108, 131 can report the information back to the provisioning controller 120 without worrying about the information being leaked or altered during transmission. For example, the secure provisioning controller 120 programs the distribution devices 108, 131 to provision up to 10,000 devices using any type of digital asset (eg, certificate, software, fuse content, etc.). be able to. The distribution devices 108, 131 can count the devices they are provisioning and report it to the provisioning controller 120 when it reaches its limit. In various embodiments, the provisioning controller 1
Equipment managed by 20 (eg 108, 110, 131, 115, 116, 11)
7) includes the ability to deactivate them if they do not communicate with the provisioning controller 120 on a regular basis and therefore if they are stolen and useless. This feature prevents lost / stolen devices from continuing to operate and provisioning the device 106 as if they were still in the proper manufacturing environment.

Continuing to refer to the example shown in FIG. 1, during operation, the distribution device 108 located at the manufacturer 105 safely receives the digital assets from the DAMS 110 and supplies them to the tester 107 for the device 106a. When each device 106a is manufactured by the manufacturer 105, the tester 107 communicates with the device 106a to obtain information such as its unique identification number and status from the device 106a and obtains a digital asset (eg, a digital certificate). Download or otherwise install in the device. The tester 107 also has a distribution device 1 from the device 106a.
Information (for example, provisioning status) can be supplied to 08, and the distribution device 1
08 uses the information DAMS110 and / or the provisioning controller 120.
Communicate securely with. In some embodiments, the tester 107 is a distribution device 108 and a device 1.
A software transport layer security (TLS) agent that securely transports data to and from 06a can be included, which is actually each device 106a.
DAM via distribution device 108 and tester 107 using the temporary key associated with
A secure encrypted communication path is created between S110 and the device 106a.

After it is first provisioned, manufacturer 105 installs equipment 106a, installer 1
Shipped to 30, the installer 130 installs the device 106b. In various embodiments, the device 106a is not functioning prior to the initial provisioning, and after the initial provisioning by the manufacturer 105, the device 106a can be partially functional but still fully functional. It is not working. In such embodiments, the initial provisioning makes the device functional only to the extent required for installation and further final provisioning.
It is needed to be fully operational.

The installer 130 installs the device 106b in its operating environment, and the staff member 132 of the installer 130 notifies the provisioning controller 120 of the fact via the installer portal 116. This notification is proof that the installation has been successfully completed and preferably includes information that uniquely identifies the device 106b to the provisioning controller 120. In some embodiments, the distribution device 131 can automatically notify the provisioning controller 120 after inquiring the device 106b for status and identification information. In various embodiments where the installer 130 proves that it has properly installed the device 106b via the installer portal 116, this proof may be recorded / stored in the database 125 by the provisioning controller 120. The proof may include specific test data associated with each particular installed device 106b, such as radio transmission power measurement or GPS antenna position verification.

In response to the installation notification, the provisioning controller 120 is (i) manufacturer 105.
Equipment 106b is listed in its database 125 as equipment legally manufactured by (ii) equipment 106b is listed in its database 125 as first successfully provisioned by manufacturer 105. That, and (
iii) Verify that the installer 130 is listed as an authorized installer in its database 125. If this verification is successful, the controller 120 will be the device 10.
DAMS1 so that 6b can function properly when installed in its operating environment.
Instruct 10 to send a digital asset (eg, a pseudonym certificate (PC)) and / or other information needed to provision device 106b operably.

In various embodiments, the regulator 140 interacts with the provisioning controller 120 via the regulator portal 117 to the installer 130 and / or the manufacturer 1.
Identify, verify, and manage 05, with an unauthorized installer (eg, a hacker) in System 1
Prevents the acquisition of genuine digital assets from 00. Staff members of the regulator 140 can be authenticated by the provisioning controller 120 and have a unique ID with the system 100 so that their actions can be uniquely recorded. In various embodiments, the regulator 140 uses the regulator portal 117 to query the provisioning controller 120 for validation reports, installer actions, number and identification information of equipment 106a manufactured, fully provisioned installed. A copy and report of information recorded by the controller 120, such as the number of devices 106b and identification information, can be obtained.

In various embodiments, the installer 130 must be certified as authorized by the provisioning controller 120 in order to interact with the system 100.
In order to be licensed, the installer 130 may have to enter into an appropriate contract document stating, for example, that the device 106b is properly installed in the target environment (eg, target vehicle or site). The installer 130 may be required to prove, for example, other contractual elements by the regulator 140. Preferably, each installer 13
0 has a unique ID within system 100 so that the action can be uniquely recorded by the provisioning controller 120.

The described embodiments of the system 100 and its functions are required only for the equipment 106 manufactured by the manufacturer 105 and properly installed and tested by the licensed installer 130 to make the equipment 106 operational. Guarantee full provisioning with digital assets. The provisioning controller 120 produces extensive logs and reports of who took what actions at each stage of the provisioning process, providing important auditing capabilities not found in traditional systems.

Those skilled in the art will appreciate that the details of the components, processes, data, operations, and embodiments shown in FIG. 1 are examples presented for the sake of brevity and clarity of description. This example is not intended to be limiting and many modifications are possible so that other components, processes, details of embodiments, and modifications can be used without departing from the principles of the invention. For example, in FIG. 1, only one manufacturer 105 and one installer 1
Only 30 and only one regulator 140 are shown, but other embodiments can have any number of each of these entities. In another example, DAMS
Although 110 and the provisioning controller 120 are shown as separate devices,
Other embodiments may combine those functions into a single device (eg, a single server). As yet another example, the same can be done for portals 115-117.
In yet another example, System 100 is an asset management device (AMA,) as described in US Patent Provisional Application No. 62 / 421,852, which is incorporated as a reference filed on November 14, 2016. (Not shown) can be further included. In one such embodiment, A
The MA may be communicably connected to the provisioning controller 120 and / or the distribution devices 108, 131 and / or DAMS 110. In various embodiments, AM
A allows the production coordinator to manage the configuration and construction of the product (eg, equipment 106) easily and efficiently, and allows the asset owner to manage the inventory of digital assets easily and efficiently. Can include user-friendly GUIs and features.

FIG. 2 is a swimlane diagram showing an example of a process 200 for securely provisioning computerized equipment, consistent with embodiments of the present invention. In various embodiments, some or all of the illustrated process 200 or operation is hardware by code running on a general purpose computing system (which may include one or more processors or one or more computing subsystems). It can be performed by a hardware-only system or by a system that is a hybrid of the two. As shown across the top of FIG. 2, the entities involved in process 200 are computerized equipment 106.
Includes manufacturer 105, distribution equipment 108 located at manufacturer 105, provisioning controller 120, and DAMS 110. In various embodiments, these entities can be as described with respect to FIG. 1 and throughout the present disclosure, and can so communicate with each other.

As shown in the example of FIG. 2, process 200 begins at 205 where the manufacturer 105 (eg, staff member 109) requests a digital asset provisioning service from the provisioning controller 130, where the digital assets are provisioned to device 106a. (Eg, used by equipment 106a), the request can identify the equipment 106a to which the digital asset is destined. The request is, for example, that the manufacturer 105 requests provisioning service for the new product 106, or the existing product 16
You may be making a new provisioning service request for. In various embodiments, this operation may include an authorized user logging on to the provisioning controller 130, eg, via the user portal 115. In some cases, the requested digital asset may be secure credentials such as, for example, a registration certificate, executable code executed by device 106, digital operating parameters, and the like. The registration certificate requires all participants to share a valid registration certificate (eg, USDOT V2X ecosystem), and even authorized participants (eg, USDOT V2X ecosystem example, vehicle). As an authorized participant in the ecosystem who can receive a fake name certificate that enables communication and operation of equipment 106 in the ecosystem (to enable communication and operation between and the roadside infrastructure) A public key certificate that identifies its owner.

At 210, the provisioning controller 120 determines if the user from the manufacturer 109 is an authorized user. In some embodiments, the provisioning controller 120 also at 210, device 1 to be provisioned.
It can be determined whether 06a (eg, product) is licensed for use with system 100. In some cases, a list of authorized devices is provided by the regulator 140 of FIG. 1 and the provisioning controller 120 is used to make this decision.
May be used by.

If the user (and / or product) is not authorized, the provisioning controller 120 rejects the request to the digital asset provisioning service (not shown in FIG. 2). On the other hand, if the authorized user is making a request (eg, for an authorized product) (210, yes), the provisioning controller 120 (eg, (21).
Instruct, instruct, or otherwise control the DAMS 110 to satisfy the service request (by sending a service request instruction to the DAMS 110).

At 220, in response to receiving a request from 215, and subject to it, the DAMS 110 sets itself to initiate service to device 106a based on that request. In some embodiments, the DAMS 110 may also send instructions to the distribution device 108 to configure the distribution device 108 to service the device 106a (not shown).

At 222, DAMS 110, as required in 205, device 106a.
Generate, create, calculate, and / or search for digital assets for. In various embodiments, the DAMS 110 can create or generate a public / private key pair as well as a required digital security asset such as a registration certificate and a pseudonym certificate for device 106a.

In an alternative embodiment of operation 222 (not shown in FIG. 2), the DAMS 110 is a registration and pseudonym disclosure associated with device 106a with digital asset generation information (eg, generated by device 106a or retrieved from device 106a). The distribution device 108 requests and receives the key and the data that uniquely identifies the device 106a (for example, the serial number of the microprocessor). In such an embodiment, the DAMS 110 then uses the registration and pseudonym public key to generate a digital asset (eg, a registration certificate for device 106a and an appropriate number of pseudonym certificates).

At 225, the DAMS 110 transmits the digital asset to the distribution device 108 of the manufacturer 105 that requested the digital asset service at 205. For example, the DAMS 110 can securely transmit a public / private key pair, a registration certificate, and a pseudonym certificate to the distribution device 108 of the manufacturer 105.

At 226, the DAMS 110 sends log information about the digital asset to the provisioning controller 120. In various embodiments, the log information is a request and transfer of a digital asset, such as a requester's ID, a digital asset's ID, a distribution device's ID, a request and transmit action time stamp, a received microprocessor serial number, and the like. May contain information that describes. In some embodiments, the log information may include a copy of the digital asset. At 227, the provisioning controller 120 receives the log information and
For example, it is stored in the database 125. In fact, the provisioning controller 120
Maintains an audit trail of all activities occurring within System 100, thereby assembling many types of data, including data on how and when equipment 106a can be built and provisioned by manufacturer 105. be able to. Such data and log information may be used for billing and auditing purposes.

At 230, the distribution device 108 receives and stores a digital asset (eg, a public / private key pair, a registration certificate and a pseudonym certificate) transmitted by the DAMS 110.

At 235, the distribution device 108 transfers digital assets from the distribution device 108 to the device 106a.
Request and receive digital security assets such as public keys that can be used to securely transfer to device 106a. Various types of equipment 106a are probably equipment 106
It has the ability to generate a temporary key pair using a secure processor built into it, and the public key can be part of the temporary key pair. At 240, the distribution device 108 uses the digital security asset (eg, public key) to securely transfer the digital asset (eg, registration certificate) to the device 1.
Send to 06a. In various embodiments, the distribution device 108 may, for example, form a virtual private network (VPN) with the device 106a and use the public key of the device 106a to securely transmit digital assets therein. can.

In various embodiments, the distribution device 108 may be connected to the device 106a using Transport Layer Security (TLS) between it and the tester 107.
Communication with can be protected. In an embodiment where it is desirable to have secure communication directly to device 106a, the system creates a temporary public key pair on device 106a and certifies the public key from distribution device 108, including the public key of distribution device 108. Used with the book, equipment 106
A secure tunnel to a can be created. In such an embodiment, the device 106a
Executes a special code in the system 100 using the root public key of the system 100, and the distribution device 1
Validate the certificate that 08 sends to it.

Once a secure path is established between device 106a or tester 107 and delivery device 108, device 106a creates a registration and pseudonym public key pair (eg, for the V2X ecosystem), public keys and others. Data is exported to the distribution device 108, and the distribution device 108
Can then send this data to the DAMS 110 and the provisioning controller 120. DAMS11, as described above with respect to the alternative embodiment of operation 222.
0 can use the received public key to create a registration certificate and a pseudonym certificate, and in some embodiments, there can be a large number (eg, 3,000) of pseudonym certificates. In this alternative of one embodiment, the DAMS 110 returns these certificates to the distribution device 108 in operation 225, as described above. In some other embodiments, the DAMS 110 may send these certificates to the distribution device 131 instead of 108, depending on where the provisioning is being performed.

In some embodiments, the distribution device 108 can communicate directly with the device 106, for example, if the device 106 has its own wireless or wired communication capabilities and is at least partially operational. In another embodiment, the distribution device 108 can indirectly communicate with the device 106 via an intermediate device such as a tester 107.

The device 106a receives the digital asset and stores it for use during operation. For example, if the device 106a is an automotive unit (OBU) or electronic control unit (ECU) and the digital asset is a security asset (eg, a public key certificate) required to join the wireless network, the digital security asset. Is stored by the OBU. When the OBU is later installed in the car and activated, it will attempt to connect to the wireless network. Before allowing the OBU to connect to the network, the network attempts to authenticate the OBU. The OBU can authenticate and participate in the network only if it has the digital security assets provided by the distribution device 108 at the manufacturer 105.

At 245, the distribution device 108 transfers the digital assets transmitted at 240 to device 106a.
Device 10 provides status information indicating whether or not has been successfully received and installed (for example, stored).
Receive or access from 6a.

At 250, the distribution device 108 provisions the status information controller 1.
Send to 20. Then, at 255, the provisioning controller 120 receives and stores the status information in relation to the log information stored in the operation 227. Therefore, the provisioning controller 120 continues the audit trail or audit log for all of the activities of the system 100 associated with each particular device 106. In various embodiments, the audit log is for each device 106 a successful manufacturer provisioning failure (eg, operations 235-245), digital asset identification information (and / or a copy of the digital asset itself). , Information indicating the type of encryption, etc. can be included.

At 270, if the device 106a is successfully provisioned with a digital asset, the manufacturer 105 releases the device to the market. For example, the manufacturer 105 can physically ship the device 106a to a company that installs the device in its operating environment (eg, the company 130 of the installer in FIG. 1). In some embodiments, the device 106a may be fully programmed or provisioned at this point and capable of operating at full functionality. On the other hand, in other embodiments, the device 106a may only be partially programmed or provisioned at this point and may not or may not be fully functional.

The examples shown in FIG. 2 are for illustrative purposes only and are not intended to be limiting. moreover,
The illustrated process 200 is a somewhat simplified example to clarify the description of a particular novel and innovative configuration consistent with a particular disclosed embodiment, but this example is limited. Many transformations are possible, unintentionally. For example, the functions and actions are shown to be performed in a particular order, but the order described is merely an example and may perform a variety of different action sequences that are consistent with the particular embodiments disclosed. Can be done. Further, the actions are described solely as separate steps for illustration purposes, and in some embodiments, multiple actions are performed simultaneously and / or as part of a single calculation or larger action. Can be done. The actions described are not intended to be exhaustive, limited, or absolute, and various actions can be modified, inserted, or deleted. As an example of a variant, Figure 2 is generally described in the context of a single digital asset (eg, a single digital certificate), but systems and processes are described in the context of multiple digital assets (eg, two or more digital certificates). It works in the same way to process the calligraphy). As another example, if the device 106a does not have a secure communication function, the operations 235 and 240 can be deleted and the distribution device 108
Can communicate with device 106b using unencrypted communication.

As yet another example, in various embodiments, the provisioning controller 120,
Alternatively, a delegation station such as a dedicated signature device sends the software to the distribution device 108 in the same manner.
Other or additional digital assets, including digital assets such as firmware, fuse blobs, manifest files, etc., can be loaded onto device 106b. In such an embodiment, the provisioning controller 120 may additionally or alternatively search for, acquire, or otherwise direct access to the requested digital asset from the storage. For example (not shown in FIG. 2), the provisioning controller 120 or its authorized delegate is an executable software image loaded and executed on device 106a (eg, a compiled computer program stored in database 125). Can be searched for and sent to the distribution device 10 to program the executable software image into the device. In various embodiments, the digital assets accessed by the provisioning controller 120 are securely supplied, released, and / or licensed by the manufacturer 105 of the device 106a so that malicious software cannot be loaded into the device 106a. It can consist only of software that has been provisioned. In some embodiments, the digital assets retrieved by the provisioning controller 120 can be stored in a storage device or database associated with the provisioning controller 120, such as the database 125 of FIG.

FIG. 3 is a swimlane diagram showing an example of a process 200 for securely provisioning computerized equipment, consistent with embodiments of the present invention. In various embodiments, by code running on a general purpose computing system (which can include one or more processors or one or more computing subsystems), by a hardware-only system, or a hybrid of the two. By the system that is
Process 300 or some or all of the illustrated operations can be performed. As shown across the top of FIG. 3, the entities involved in the process 300 are the installer 130 of the computerized device 106, the distribution device 131 located at the installer 130,
Includes provisioning controller 120, and DAMS110. In various embodiments, these entities can be as described with respect to FIG. 1 and throughout the present disclosure, and can so communicate with each other.

As shown in the example of FIG. 3, process 300 begins at 305 where installer 130 receives equipment 106b (eg, OBU or ECU) manufactured and released or shipped by manufacturer 105 (see operation 270 of FIG. 2). ). At 310, the installer 130 can install the equipment 106b in its operating environment, such as a larger system. For example, the installer 130 can be an automobile manufacturer that purchases an OBU from a manufacturer 105, and the installer 130 can install an OBU in an automobile. In various embodiments, installing the device 106b can include testing the operation, function, etc. of the device 106b after installation, and collecting relevant status data.

In some embodiments, the device 106b is only partially provisioned and may not be fully functional. For example, the manufacturer 105 of the device 106b may include the device 106b.
Needs to be further provisioned with another digital certificate (eg, a pseudonym certificate) to get full functionality (eg, functionality to communicate with another fully programmed device 106). In addition, the device 106b may be provisioned only with a registration certificate.

At 315, the installer 130 (eg, staff member 132) sends the installation status data to the provisioning controller 120. In various embodiments, the installation status data is an immutable identifier for the installed equipment (eg, a serial number such as a public key from a key pair that is once generated and never erased, or other fixed unique identification. Information) is included. The installation status data is also a unique identifier for the installer 130, equipment 106b.
Information about when and how it was installed, information about the results of tests performed on the installed equipment 106b, specifications applicable to installer 130, contractual requirements, and / or instructions, and / or others. Other information, such as information proving that the device 106b has been installed, can be included in accordance with similar information in.

At 320, the provisioning controller 120 determines whether the user from the installer 130 is an authorized user. Otherwise, the provisioning controller 120 rejects installation status communication (not shown in FIG. 3). On the other hand, if the authorized user makes a request (320, yes), the provisioning controller 120 determines if the device 106b identified in the installation status data is an authorized device (325). In some embodiments, the provisioning controller 1
20 indicates that 1) a record for device 106b exists in its database 125 and 2) that record indicates that device 106b was successfully provisioned to manufacturer 105, 3
The record verifies the database 125 against previously stored information indicating that the device 106b has been sent to the installer 130 (verified to be an authorized installer in 320). It can be determined that the device 106b is licensed.

If the device identified by the installation status data is not authorized, the provisioning controller 120 rejects the installation status communication (not shown in FIG. 3). On the other hand, if the device 106b identified in the installation status data is authorized (325, yes).
At 330, the provisioning controller 120 stores installation status data along with log information associated with device 106b. For example, the log information associated with the device 106b may have previously been stored in the database 125 as described for operation 227 in FIG.

At 335, the provisioning controller 120 (eg, installer 130)
Directs, orders, or otherwise controls the DAMS 110 to meet the provisioning request (by sending a request to the DAMS 110 to provision the device 106b in.). At 340, in response to and / or subject to receiving a request from 335, DAMS110 generates and / or retrieves the digital assets requested at 335. In various embodiments, the DAMS 110 can create or generate the requested digital asset, such as a pseudonym certificate or other public key certificate, as described with respect to FIG. In various embodiments, DAMS110, or D
The provisioning controller 120, on behalf of AM110, may be added or replaced.
Digital assets requested from storage, such as executable images previously stored in database 125 for use in equipment of the type 106b, can be searched, retrieved, or otherwise accessed.

At 345, the DAMS 110 transmits the digital asset to the distribution device 131 of the installer 130 that transmitted the installation status at 315. For example, the DAMS 110 can securely transmit the pseudonym certificate to the distribution device 131 of the installer 130.

In 350, the distribution device 131 operates from 230 to 24 as described with respect to FIG.
Perform the same or similar operation as 5. At 355, the distribution device 131 transmits status information to the provisioning controller 120. Then, at 360, the provisioning controller 120 receives and stores the status information related to the information previously stored in relation to the device 106b such as the status information stored in the operation 227. Therefore, the provisioning controller 120 continues the audit trail or audit log for all of the activities of the system 100 associated with each particular device 106.

The process 300 shown in FIG. 3 is an example for purposes of illustration and is not intended to be limiting. Further, the illustrated process 300 is a somewhat simplified example to clarify the description of a particular novel and innovative configuration consistent with the particular embodiment disclosed, but many modifications are possible. Is. For example, the functions and actions are shown to be performed in a particular order, but the order described is merely an example and may perform a variety of different action sequences that are consistent with the particular embodiments disclosed. Can be done. Further, the actions are described solely as separate steps for illustration purposes, and in some embodiments, multiple actions are performed simultaneously and / or as part of a single calculation or larger action. Can be done. The actions described are not intended to be exhaustive, limited, or absolute, and various actions can be modified, inserted, or deleted.

4A and 4B are both block diagrams of an example of a system 400 for implementing a scalable and secure digital asset management system according to an embodiment of the present invention. Various embodiments of the system 400 can be used for a very large number of device transactions and certificate generation processes. In various embodiments, the system 400 can be implemented using multiple servers, hardware security modules, multiple computing or computing engines, and multiple virtual machines (VMs). An example of the system 400 can be implemented in a private data center, a cloud data center (eg, AWS), or a hybrid of a private data center and a cloud data center.

In various embodiments, the system 400 can be or be part of a digital asset management system (DAMS) 110 that can function as described with respect to FIG. 1 and other sections of the present disclosure. Or can interact with it.

As shown in the example of FIG. 4, this architecture can include two provisioning controllers 120 (ie, primary and standby) (preferably implemented on separate servers). The two provisioning controllers 120 include functions such that objects, data, etc. contained in the primary provisioning controller are copied or otherwise contained in the standby (secondary) provisioning controller. If the primary provisioning controller goes offline for any reason, the standby provisioning controller can be brought online to replace the primary provisioning controller. This provides continuous (or very high) availability of the provisioning controller 120. In various embodiments,
The primary provisioning controller and the standby provisioning controller can be as described with respect to FIG. 1 and other sections of the present disclosure. In various embodiments, the provisioning controller 120 can connect to the system 400 in the same or similar manner as described herein with respect to the connection and communication between the provisioning controller 120 of FIG. 1 and the DAMS 110. In general, the provisioning controller 120 is a system 40 in which only explicitly authorized elements participate.
Manage the system elements that make up the infrastructure so that you can interact with 0. In various embodiments, the provisioning controller 120 is a user (eg, manufacturer 1).
It can be integrated with the employee identification and authorization system of 05 or installer 130), or it can provide unique features for identification and authorization so that only authorized users can use the system 400.

The system 400 architecture separates non-security related applications from security features. As shown in this example, registration authority 420, certificate authority 430, 44
0, and cooperation stations 450, 460 are their own dedicated calculation engines 425, 435, 4
Implemented as applications on their own virtual machines running on 45, 555, 465, all of which are separate from non-security related applications and features. This is a technical and security advantage and improvement over traditional systems where hardware security modules are slow, cloud service providers are unable to supply HSMs, or proper management of HSMs is uncertain. Provide both. As shown in FIG. 4, calculations such that are performed by, for example, Registration Authority 420, Certificate Authority 430, 440, and Coordination Authority 450, 460 by separating important security functions from each other into separate compute engines. Aggregate cryptographic and security functions (eg, elliptic curve butterfly extended computation or elliptic curve digital signatures) run much faster than existing registrar systems. This design allows the "bottleneck" application to be scaled as needed, significantly improving transaction processing. For example, if you need to extend the Registration Authority application running on 405 and 420, you can add additional VMs without making any changes to the 425 secure computing functions.
Alternatively, if security computation limits performance, additional secure computation engine 425 can be added. The same multidimensional scaling applies to the other 400 components. This feature significantly improves performance over other existing SCMS systems.

In various embodiments, the registration authority 405 can be a station within a provisioning network that validates user requirements for digital certificates or other types of digital security assets, such as a certificate authority (eg, certificate authority 430, 440). May be able to issue a digital certificate. In various embodiments, the registrar 405 is a public key infrastructure (
It can be similar to a registration authority known for PKI) systems. In various embodiments, the registration authority 405 is a Representational State Transfer.
(REST) Can be implemented as a web service. In various embodiments, there may be multiple instances of the registration station 405 running simultaneously, as represented by the three "stacked" rectangles shown in FIG. 4 with respect to the registration station 405. This is also expressed for the other "stacked" elements of FIG.

Registration Bureau 405 (and "D", as represented by the "DB" arrow that appears in the lower left corner of the rectangle.
The other component of FIG. 4 indicated by the "B" arrow) can be connected to the database 470. In a preferred embodiment, the database 470 is a fast access, low latency database. In some embodiments, the database 470 can be a NoSQL database or database service (eg, a DynamoDB data service provided by Amazon Web Services). In various embodiments, the data stored in the database 410 is application dependent, but may include previously issued certificates, various coordinating station values, data about the device for which the certificate was issued, operator actions, and the like. .. Note that the data may be unencrypted, encrypted, or stored in any combination thereof.

In the example shown in FIG. 4, the registration authority 405 is connected to other components, which are connected to each other by a messaging subsystem or service represented by a box 410. In some embodiments, the messaging service 410 is Am
Amazon Simple Queue Service (SQS) provided by the amazon web service
It can be a high-speed message queuing service such as.

In various embodiments, the system 400 has a registered certificate authority 430 and a pseudonym certificate authority because the digital certificate generated by the registration authority 405 is divided into different segments (eg, a registered digital certificate and a pseudonym digital certificate). Includes 440.

In various embodiments, the Coordination Bureau 450, 460 links the certificate requester's identification information (ie, the unique identifier of the certificate requester's device) to the issued pseudonym certificate for the purpose of revocation.

In various embodiments, the compute engine 425, 435, 445, 455, and 465 and the provisioning controller 120 include an HSM that allows these components to perform secure computations without being overly threatened by hackers. .. In some embodiments, the compute engines 425, 435, 445, 455, and 465 can be designed to perform the secure computation itself without the need for an embedded HSM, in such embodiments. , They embody HSM.

Those skilled in the art will appreciate that the components, processes, data, behaviors, and implementation details shown in FIG. 4 are examples presented for the sake of brevity and clarity.
This example is not intended to be limiting and many modifications are possible so that other components, processes, details of embodiments, and modifications can be used without departing from the principles of the invention.

FIG. 5 is a block diagram of an example of a computing environment 501, including a computing system 500 that can be used to implement a system and method consistent with embodiments of the present invention. Other components and / or placements can also be used. In some embodiments, the computing system 500 can be used to at least partially implement the various components of FIGS. 1-3 (eg, provisioning controllers 120 and DAMS 110, among others). In some embodiments, a set of computing systems similar to the computing system 500 are each customized with dedicated hardware and / or for implementing one of the components of FIGS. 1-3. It can be programmed as a dedicated server and can communicate with each other via network 535.

In the example shown in FIG. 5, the computing system 500 is a central processing unit (CPU) 5.
Includes many components such as 05, memory 510, input / output (I / O) equipment 525, hardware security module (HSM) 540, and non-volatile storage device 520. System 500 can be implemented in a variety of ways. For example, (server,
Implementations as an integrated platform (such as workstations, personal computers, laptops, etc.) can include CPU 505, memory 510, non-volatile storage 520, and I / O equipment 525. In such a configuration, components 505, 5
10, 520, and 525 can connect and communicate over the local data bus and can access the data repository 530 (eg, implemented as a separate database system) over an external I / O connection. can. The I / O component 525 is a direct communication link over a network such as a local area network (LAN) or wide area network (WAN, eg, a mobile phone network or the Internet) and / or over other suitable connections. (For example, wired or local W
It can be connected to an external device via (iFi connection). The system 500 may be standalone or a subsystem of a larger system.

The CPU 505 is a Core® family microprocessor manufactured by Intel® Corporation in Santa Clara, California, or an Athlon® family manufactured by AMD® Corporation in Sunnyvale, California. It can be one or more known processors or processing devices, such as a microprocessor in Intel. The memory 510 is one or more high speed storage devices configured to store instructions and information executed or used by the CPU 505 to perform specific functions, methods, and processes related to embodiments of the present invention. Can be. The storage 520 is a volatile or non-volatile, magnetic, semiconductor, tape, optical, or other type of storage device, or a computer-readable medium, including devices such as CDs and DVDs, and a solid-state device intended for long-term storage. be able to.

In the illustrated embodiment, memory 510 is loaded from storage 520 or from a remote system (not shown) to perform various actions, procedures, processes, or methods consistent with the present invention when performed by CPU 505. Includes one or more programs or applications 515 that have been created. Alternatively, the CPU 505 can execute one or more programs located remotely from the system 500. For example, system 500
A network 53 that performs functions and processes related to embodiments of the present invention at run time.
One or more remote programs can be accessed via 5.

In one embodiment, the memory 510 is a provisioning controller 120, DAMS1.
10. And / or distribution devices 108, 131 may include a program 515 for performing the special functions and operations described herein. In some embodiments, the memory 510 may also include other programs or applications that implement other methods and processes that provide auxiliary functionality to the present invention.

The memory 510 also consists of another program (not shown) unrelated to the present invention and / or an operating system (not shown) that performs some functions well known in the art when executed by the CPU 505. You can also do it. As an example, the operating system can be Microsoft Windows®, Unix®, Linux®, Apple Computers® operating system, or other operating system. Neither the choice of operating system nor the use of the operating system is important to the present invention.

The HSM 540 can be a device with its own processor that securely generates and stores digital security assets and / or securely performs various cryptographic and confidential calculations. The HSM 540 protects digital security assets such as cryptographic keys and other sensitive data from access by potential attackers. In some embodiments,
The HSM can be a plug-in card or board mounted directly on the computing system 500.

The I / O device 525 may include one or more input / output devices that allow the system 500 to receive and / or transmit data. For example, the I / O device 525 can include one or more input devices (eg, keyboard, touch screen, mouse, etc.) that allow data to be input by the user. Further, I / O device 52
5 can include one or more output devices (eg, display screens, CRT monitors, LCD monitors, plasma displays, printers, speaker devices, etc.) that allow data to be output or presented to the user. .. The I / O device 525 can also include one or more digital and / or analog communication input / output devices that allow the computing system 500 to communicate (eg, digitally) with other machines and devices. .. Other configurations and / or some input and / or output devices I /
It can be incorporated into the O device 525.

In the illustrated embodiment, the system 500 is network 535 (eg, internet, private network, virtual private network, mobile phone network, etc.
Or connected to another network, or a combination of these), network 53
The 5 can then be connected to various systems and computing machines (eg, servers, personal computers, laptop computers, client devices, etc.). Generally, the system 500 can input data from an external machine and device via the network 535 and output the data to the external machine and device.

In the exemplary embodiment shown in FIG. 5, the data source 530 is a stand-alone database outside the system 500 (eg, database 125). In other embodiments, the data source 530 may be hosted by system 500. In various embodiments, the data source 530 can manage and store the data used to implement the systems and methods consistent with the present invention. For example, the data source 530 can manage and store a data structure including the status and log information of each device 106 provisioned by the system 100.

The data source 530 may include one or more databases that store information and are accessed and / or managed through the system 500. As an example, database 53
0 can be an Oracle® database, a Sybase® database, or any other relational database. However, the systems and methods according to the invention are not limited to separate data structures or databases, or even the use of databases or data structures.

Those skilled in the art will appreciate that the details of the system components and embodiments of FIG. 5 are examples presented for the sake of brevity and clarity. Details of other components and embodiments may be used.

The above examples use specific examples of computerized devices such as OBUs, ECUs, and RSUs for clarity, but the invention is not limited to those specific examples. Various embodiments consistent with the present invention include, among other things, medical devices (eg, dialysers, injection pumps, etc.), robots, drones, autonomous vehicles, wireless communication modules (eg, embedded universal integrated circuit cards (eUICC)). Can be used with and for a wide variety of computerized devices such as.

Other embodiments of the invention will be apparent to those skilled in the art from the discussion herein and the practice of the invention disclosed herein. The specification and examples are intended to be considered as illustrative only, and the true scope of the invention is set forth by the following claims.

Claims (15)

A system for securely provisioning computerized equipment,
A first distribution device communicably connected to the computerized device, capable of receiving digital assets and operating to load the digital assets into the computerized device.
A digital asset management system that is connected to the distribution device via a first secure communication channel and can operate to generate and conditionally transmit the digital asset to the distribution device.
The digital is connected to the distribution device via a second secure communication channel, is connected to the digital asset management system via a third secure communication channel, and transmits the digital asset to the distribution device. Including a provisioning controller that can operate to direct the asset management system,
A system in which the computerized device does not function before the digital asset is loaded into the computerized device. It is connected to the digital asset management system via a fourth secure communication channel, communicably connected to the computerized device after the first distribution device is disconnected, and receives the second digital asset. Further includes a second distribution device capable of operating to load the second digital asset into the computerized device.
The provisioning controller can further operate to instruct the digital asset management system to send the second digital asset to the distribution device.
The computerized device is fully functional after the second digital asset has been loaded into the computerized device, for the safe provisioning of the computerized device according to claim 1. system. The digital asset management system is
With one or more virtual machines communicably connected to one or more compute engines that run the Registration Authority application and perform the cryptographic computations required by the Registration Authority application.
One or more virtual machines communicably connected to one or more computing engines that run a Registered Certificate Authority application and perform cryptographic calculations required by the Registered Certificate Authority application.
One or more virtual machines communicably connected to one or more compute engines that run a pseudonym certificate authority application and perform cryptographic calculations required by the pseudonym certificate authority application.
1.
Includes one or more virtual machines communicably connected to one or more compute engines that run a second Linkage Station application and perform cryptographic computations required by the Second Linkage Station application. A system for securely provisioning the computerized device according to claim 1. The digital asset management system is
The one or more virtual machines that execute the registration authority application, the one or more virtual machines that execute the registration authentication authority, the one or more virtual machines that execute the pseudonym authentication authority application, and the above. A claim further comprising a database operably connected to the one or more virtual machines running the first Coordination Station application and the one or more virtual machines running the second Coordinating Station application. A system for safely provisioning the computerized equipment according to 3. It further includes a first portal that is operably connected to the provisioning controller, authenticates the manufacturer of the computerized device, and allows the manufacturer to manage the provisioning of the computerized device. , A system for safely provisioning the computerized device according to claim 1. It further includes a second portal that is operably connected to the provisioning controller, authenticates the installer of the computerized device, and allows the installer to manage the provisioning of the computerized device. , A system for securely provisioning the computerized device according to claim 5. Billing, further comprising a third portal that is operably connected to the provisioning controller, authenticates the regulator of the computerized device, and allows the regulator to manage the provisioning of the computerized device. A system for safely provisioning the computerized device according to Item 1. The provisioning controller is further operable to send the digital asset to the distribution device for loading into the computerized device, claim 1.
A system for securely provisioning computerized equipment as described in. The system for securely provisioning a computerized device according to claim 8, wherein the digital asset is an executable code executed by the computerized device. The system for securely provisioning a computerized device according to claim 1, wherein the digital asset is at least one of a digital certificate, an encryption key, and executable software. The computerized device according to claim 1, wherein the provisioning controller can further operate to create and maintain a log associated with the digital device and storing information about the provisioning activity of the digital device. A system for provisioning to. The computerized device according to claim 11, wherein the digital asset management system can further operate to send information about the provisioning activity related to the digital device to the provisioning controller for storage in the log. A system for securely provisioning. 11. The computerized computerized device of claim 11, wherein the first distribution device is further operable to send information about the provisioning activity associated with the digital device to the provisioning controller for storage in the log. A system for securely provisioning equipment. The computerized device according to claim 1, wherein the provisioning controller can further operate to authenticate the digital device before instructing the digital asset management system to transmit the digital asset. A system for secure provisioning. The computerized device is an embedded universal integrated circuit card (eUIC).
C) A system for safely provisioning the computerized device according to claim 1.

Images